Time-Based access lists

An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements that apply to IP addresses and possibly upper-layer IP protocols. Time-based ACLs is a Cisco feature introduced in the Release 12.0.1.T to allow access control based on time. The time range, identified by a name, can be ‘absolute‘ or ‘periodic‘.

Use time-based access list is easy and can be useful in some situations. To implement it, you need:

1. Define time-range
2. Define ACL, where the time-range is applied to
3. Apply ACL; for istance: to the interface, to the vty, to the control-plane, …

Examples #1: Periodic Time
Permit SSH router access on the weekends from 8:00 to 22:00.

1. Define time-range

   Ciscozine(config)#time-range time-ssh
   Ciscozine(config-time-range)#periodic weekend 08:00 to 22:00

2. Define ACL

   Ciscozine(config)#ip access-list extended permit-ssh
   Ciscozine(config-ext-nacl)#permit tcp any any eq 22 time-range time-ssh

3. Apply ACL

   Ciscozine(config)#line vty 0 4
   Ciscozine(config-line)#access-class permit-ssh in

Example #2: Absolute time
Block SNMP protocol from 1st March 2011:

1. Define time-range

   Ciscozine(config)#time-range time-snmp
   Ciscozine(config-time-range)#absolute start 00:00 1 March 2011

2. Define ACL

   Ciscozine(config)#ip access-list extended deny-snmp
   Ciscozine(config-ext-nacl)#deny udp an an eq snmp time-range time-snmp
   Ciscozine(config-ext-nacl)#permit ip any any

3. Apply ACL

   Ciscozine(config)#interface fastEthernet 0/1
   Ciscozine(config-if)#ip access-group deny-snmp in

Remember: To check if a time-based access lists is active or not, use the ‘show ip access-list’ or the ‘show time-range’ command

Below the video with the two examples:

References: http://www.cisco.com/…products_tech_note.shtml#timebasedtimerange